×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
CCP_tech
Loves-to-Learn Lots
Member since: ‎12-17-2024
‎01-13-2025
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-17-2024
Activity Feed
Topics I've Started
View All

Re: Splunk table query

by in Splunk Search
‎12-18-2024 03:53 AM
‎12-18-2024 03:53 AM
My bad - The LogText column has the key word (connected or disconnected) with other texts. It will some kind of wildcard lookup for either of these 2 words. So, I'm looking to extract row 4 and 5 which has the "disconnected" text and where there isn't an associated connected row within say 120 secs.  Row Time LogText 1 7:00:00am text connected text 2 7:30:50am text disconnected text 3 7:31:30am text connected text 4 8:00:10am text disconnected text 5 8:10:30am text disconnected text ... View more

Re: Splunk table query

by in Splunk Search
‎12-17-2024 11:41 PM
‎12-17-2024 11:41 PM
Thanks for response. I will try it out. ... View more

Splunk table query

by in Splunk Search
‎12-17-2024 11:24 AM
‎12-17-2024 11:24 AM
I've piped a Splunk log query extract into a table showing disconnected and connected log entries sorted by time. NB row 1 is fine. Row 2 is fine because it connected within 120 sec. Now I want to show "disconnected" entries with no subsequent "connected" row say within a 120 sec time frame.  So, I want to pick up rows 4 and 5. Can someone advise on the Splunk query format for this? Table = Connect_Log Row Time Log text 1 7:00:00am connected 2 7:30:50am disconnected 3 7:31:30am connected 4 8:00:10am disconnected 5 8:10:30am disconnected ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-13-2025 03:26 PM